
Ubuntu 22.04 & 23.04 Server ; SNORT3 Install

Snort3 Install

The universe repository for Ubuntu 22.04 and 23.04 only provides Snort 2.9, as shown below, so Snort3 has to be built, compiled and installed from source.

Advance preparation

①Make sure your Ubuntu server is up-to-date and has the latest package list

①Install the build tools and dependency libraries required for building and installation

②Create the SNORT3 installation working directory

③Download and install DAQ

④Install gperftools (tcmalloc) to improve performance when memory usage grows

Snort3 Download and Install

①Download and install Snort3

②Update shared libraries

④Verify that Snort runs correctly

⑤Test the Snort installation with the default configuration file

Configure Snort3

①Check the name of the interface Snort listens on

The WAN interface on which Snort runs is enp0s3

②Configure the network interface card

Disable interface offloading so that Snort does not truncate packets larger than 1518 bytes.
Check the current status

GRO is on, so disable it.

Create and enable a systemd service so that the change survives a system reboot

Contents of snort3-promisc.service

Reload the systemd configuration, then start the service and enable it at startup
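As an added example (not part of the original guide), the script below reads `ethtool -k` output for the capture interface and builds the `ethtool -K` command that turns off the offloads still enabled. It goes a little beyond the guide's GRO-only step and also covers LRO, TSO and GSO, which merge segments in the same way; the interface name enp0s3 comes from the guide, and the sample `ethtool -k` output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original guide: find the receive/segmentation
# offloads that are still "on" for the capture interface and print the
# `ethtool -K` command that disables them. Merged frames larger than
# 1518 bytes are what make Snort truncate packets.

IFACE="enp0s3"   # interface name used in the guide

# Map the offload feature names printed by `ethtool -k` to the short
# names `ethtool -K` expects. Anything else is not an offload we touch.
offload_short_name() {
  case "$1" in
    generic-receive-offload)      echo gro ;;
    large-receive-offload)        echo lro ;;
    tcp-segmentation-offload)     echo tso ;;
    generic-segmentation-offload) echo gso ;;
    *) return 1 ;;
  esac
}

# Constructed sample of `ethtool -k enp0s3` output. Only top-level lines
# matter; sub-features are indented and ignored.
SAMPLE_ETHTOOL_K='Features for enp0s3:
rx-checksumming: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
tcp-segmentation-offload: on
    tx-tcp-segmentation: on'

# enabled_offloads <ethtool -k output>: print the offload features that are
# "on" and changeable ("[fixed]" entries cannot be toggled, so they never match).
enabled_offloads() {
  printf '%s\n' "$1" | awk '/^[a-z-]+: on$/ { sub(/:$/, "", $1); print $1 }' |
  while read -r name; do
    if offload_short_name "$name" >/dev/null 2>&1; then echo "$name"; fi
  done
}

# offload_disable_cmd <interface> <ethtool -k output>: build the fix command.
offload_disable_cmd() {
  args=""
  for name in $(enabled_offloads "$2"); do
    args="$args $(offload_short_name "$name") off"
  done
  if [ -n "$args" ]; then echo "ethtool -K $1$args"
  else echo "# no changeable offloads are enabled on $1"; fi
}

# With --live and ethtool installed, inspect the real interface; otherwise
# use the constructed sample.
if [ "${1:-}" = "--live" ] && command -v ethtool >/dev/null 2>&1; then
  offload_disable_cmd "$IFACE" "$(ethtool -k "$IFACE")"
else
  offload_disable_cmd "$IFACE" "$SAMPLE_ETHTOOL_K"
fi
```

Running it with `--live` on the server prints the command to apply; the printed `ethtool -K` line is what the systemd unit above should execute at boot.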

Configure rule sets

This guide sets up the community rules and local rules.
①Create the folders and files needed for Snort rules

Create local rules

①Add a rule that detects ICMP traffic to the local.rules file

②Test run

If the configuration is valid, the output ends with the following line

③Run Snort in detection mode on the interface (replace enp0s3 with your interface name) and log all alerts to the console with the following command

When the server is pinged from another PC on the same network, the following appears on the console

Press Ctrl-C to stop Snort

④Edit snort.lua so that it includes the local rules

⑤Run Snort

Pinging the server from another PC on the same network again writes the alert to the console.

Create community rules

①Download the Snort3 Community Rules and save them in the rules directory

②Edit the configuration file

③Update the path to the rules

Installing Snort OpenAppID

①Download the OpenAppID detector package

②Edit the Snort configuration file

③Check the configuration

④Add the following line to Snort's local.rules file as a new rule that detects Facebook traffic

⑤Check the syntax of the local.rules file

⑥Run Snort

When a second console is opened and a connection is made to Facebook, the following appears on the original console

Snort Log Settings

①Edit the snort.lua configuration file

②Check the syntax

③Run Snort with the option -A alert_fast none and the option -l /var/log/snort, which specifies the log directory

The following alert appears in the /var/log/snort/alert_fast.txt file

Run Snort in the background

①Create a non-login system user account for Snort

②Create the systemd service unit

Contents of snort3.service

Restart

Set the log file ownership and permissions

③Start Snort and enable it to run at system startup
